Description
Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7.
Published: 2026-06-09
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Svelte's spread syntax injects arbitrary attributes from a data object into rendered elements. When that data comes from an untrusted source, event handler attributes (e.g. onclick, onmouseover) are emitted into the server-rendered HTML, and the browser wires them up as inline event listeners. If an attacker supplies malicious event handlers and the victim's browser loads the page with JavaScript enabled, the attacker can run arbitrary code in the security context of the vulnerable page. This form of XSS is limited to browsers with JavaScript active and only triggers if Svelte's hydration has not reached the element before the event fires.

Affected Systems

The vulnerability affects all releases of Svelte in which the framework's SSR rendering performs full spread attribute expansion without filtering. Versions prior to 5.55.7 contain the flaw; the patch in 5.55.7 excludes event handler properties from spreads. Applications using the affected library must verify the installed version and upgrade if it is below 5.55.7.

Risk and Exploitability

The CVSS score of 5.1 classifies the flaw as a moderate severity vulnerability. EPSS data is not available, and the issue is not listed in CISA's KEV catalog, which suggests no known widespread exploitation at the time of this analysis. Exploitation requires an attacker to control the data that is spread into the template on a page that has JavaScript enabled, and the event must fire before Svelte's hydration logic attaches to the element. A successful attack executes arbitrary JavaScript within the victim's browser session, potentially leading to credential theft, session hijacking, or data exfiltration.

Generated by OpenCVE AI on June 9, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Svelte framework to version 5.55.7 or later, which removes the event handler properties from spread attributes.
  • Avoid using spread syntax with untrusted or user-controlled data in SSR templates; instead bind attributes explicitly to known safe values.
  • If an upgrade is not yet possible, ensure that any data passed into the template is sanitized or escaped so that event handler prefixes are removed before rendering.
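As an added illustration (not Svelte's own code, and not its actual fix), the following models the SSR attribute-spread serialization described above next to a defensive filter that drops inline event handler properties before rendering; the function names and the sample data are constructed for this example.

```javascript
// Added example: models unfiltered spread-to-attribute rendering (pre-5.55.7
// behaviour as described in the advisory) beside a hardened variant.
// Not Svelte's implementation; names and sample data are constructed.

// Escape a value for safe embedding inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unfiltered: every key of the spread object becomes an attribute, so an
// "onclick" key from untrusted data lands in the HTML as an inline handler.
function renderSpreadUnfiltered(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
    .join('');
}

// HTML attribute names are case-insensitive, so the check must be too:
// "ONCLICK" and "onMouseOver" are event handlers just like "onclick".
// Every standard attribute starting with "on" is an event handler; relax
// this only if you knowingly use custom attributes with that prefix.
const EVENT_HANDLER = /^on/i;
const VALID_ATTR_NAME = /^[a-z][a-z0-9:_-]*$/i;

// Hardened: drop event handler keys and anything that is not a plain
// attribute name before the data reaches the renderer.
function sanitizeSpreadAttrs(attrs) {
  const out = {};
  for (const [k, v] of Object.entries(attrs)) {
    if (EVENT_HANDLER.test(k) || !VALID_ATTR_NAME.test(k)) continue;
    out[k] = v;
  }
  return out;
}

function renderSpreadSafe(attrs) {
  return renderSpreadUnfiltered(sanitizeSpreadAttrs(attrs));
}

// Constructed sample: an attribute object sourced from untrusted data,
// where one key is an event handler with a placeholder value.
const untrusted = { class: 'card', title: 'Hello', onclick: 'UNTRUSTED_SCRIPT', 'data-id': '42' };

console.log('unfiltered:', renderSpreadUnfiltered(untrusted));
console.log('hardened:  ', renderSpreadSafe(untrusted));
```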



Advisories
Source: GitHub GHSA
ID: GHSA-pr6f-5x2q-rwfp
Title: Svelte SSR vulnerable to cross-site scripting via spread attributes
History

Tue, 09 Jun 2026 20:15:00 +0000

Type: First Time appeared; Values Added: Svelte, Svelte svelte
Type: Vendors & Products; Values Added: Svelte, Svelte svelte

Tue, 09 Jun 2026 19:30:00 +0000

Type: Metrics; Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type: Description; Values Added: the CVE description shown at the top of this page
Type: Title; Values Added: Cross-site scripting via spread attributes in Svelte SSR
Type: Weaknesses; Values Added: CWE-79
Type: References; Values Added:
Type: Metrics; Values Added: cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T18:39:04.806Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42599

Vulnrichment

Updated: 2026-06-09T18:28:34.131Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:07.550

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-42599

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses